WordPress Attack Underway: WordPress Users Must Upgrade [ALERT]

**Pathan** · 14 September, 2009, 00:52 AM

Yeah just upgraded all my blogs, thank for the info

**deluxdon** · 14 September, 2009, 02:06 AM

Thanks for the alert.

BTW WP version above 2.7 safe or not ?

DON.

**oxuro** · 14 September, 2009, 03:28 AM

A mate of mine told me a day or two ago about that issue but to be honest i was so lazy to upgrade it (what the hell...i had just to press a button to upgrade it but still too lazy xD) anywayz after reading the article from mashable i went asap and upgrade it xD

**dodolls** · 14 September, 2009, 03:39 AM

Thanks for the alert. Upgrading my blog to the latest version. Are there any other clues that will tell you that your site has been attacked? Haven't updated my blog lately and I'm afraid that it might be infected.

**bogart** · 15 September, 2009, 14:12 PM

Some users are reporting memory issues with wordpress 2.8.x

Originally Posted by dodolls

Thanks for the alert. Upgrading my blog to the latest version. Are there any other clues that will tell you that your site has been attacked? Haven't updated my blog lately and I'm afraid that it might be infected.

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFER ER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

WordPress Attack Underway: WordPress Users Must Upgrade [ALERT]

**nessie** · 17 September, 2009, 15:24 PM

Is the "hidden" admin attacker account visible in Users section in WP admin interface or need to dig the database to find it?

**5starpix** · 17 September, 2009, 16:33 PM

I have had a issue with people going to

http://www.mydomain.com/2009/09/my-post-title/%quote

I have no idea where the %quote is coming from, but its only after the update to 2.8.x

I don't have that link on any of my pages

**Hellas** · 18 September, 2009, 08:22 AM

One of my upgraded and normal site just got defaced but I think it is up to host.

They somehow managed password for my wordpress installation and they just edited index.php, but hacker could easily delete the whole site...

It was WP 2.8.4.

**Snak3** · 18 September, 2009, 09:29 AM

Originally Posted by Hellas

One of my upgraded and normal site just got defaced but I think it is up to host.

They somehow managed password for my wordpress installation and they just edited index.php, but hacker could easily delete the whole site...

It was WP 2.8.4.

Really sad to hear that.

Have you checked your server logs?